Wow! A configuration management program that worked · PDF fileA configuration management...

Wow! A configuration management program that worked the first time!Stuart Smith | Transurban

5 minutes Intro

5 minutes Why Bother

5 minutes What were the challenges how were these overcome

10 minutes Leveraging existing tools (Technical section)

15 minutes Benefits

5 minutes What does the CMDB look like today and what are the next steps

5 minutes Questions

Agenda

Configuration Management 2

Incumbent tool was due for upgrade

Undertook a review of tools looking for best of breed, SAAS solution

Tool must support the organisation’s fast paced growth and align to corporate strategy

– Position for the future

– Get faster

– Deliver increasing value

Incumbent system did not have an integrated CMDB

One of the key deliverables was a fully functioning, largely auto populated CMDB

Introduction


Applications and Infrastructure

– Projects asking how many servers, applications, databases or details about these

– Senior Management don’t understand why you are so busy

– Complex and time consuming to understand life-cycle replacements

– Unable to explain everything you are managing and how it is interconnected

– Receive requests which do not have all the correct details

– Outages caused by expiration of digital certificates

Why Bother?


Infrastructure

– Not knowing who owns an application or who should approve a change

– Unable to get outage times and approvals– Unsure of what groups of Servers to Patch

and when– Get flooded by alerts

Service Management

– Have multiple regions you want to report by– Inconsistent and poor details provided in

service requests Security

– Find it complex to manage your Payment Card Industry (PCI) compliance

Create a High-Level Model

5

Data Model: Determine level of depth you want to manage and what can reasonably be discovered automatically.

What tools are available and hence, what integrations are required

What fields are required to meet the objectives

How to automate the creation of most (if not all) CIs and relationships

Technical considerations (eg. Integration method)

Leverage Existing Tools


DiscoveryCMDB

Discovery

Slide subheadingTools and Integrations


Integrations: Determine the integrations required to capture the source data Servers – SCOM Network – Solarwinds Database – Oracle Enterprise Manager

(OEM) Desk/Laptops – SCCM Windows server – SCCM Applications – Manually created Mobile devices – AirWatch (post go-live) VMs – Vcentre (post go-live)

SCOM

SCCM

Solarwinds

OEM

Thawte

Internal CAMID

ServiceNow

DISCOVERED ASSETS

DISCOVERED CIs

DISCOVEREDCIs

DISCOVEREDASSETS

IN17

IN2,4,16 IN2,4,16

DISCOVEREDCIs

DISCOVEREDASSETS

Slide subheadingIntegration Method


Method – Determine Target Tables, create integration specification and the integration method– Webservice– JDBC– Email etc.

Reconciliation Identifiers - are used to determine the order we try and match on keys – try to match on SCOM ID, then FQDN, then Name?

Copy Empty Fields - If set to YES and discovery source has a NULL field, the CMDB is over written with blanks.

Met with each CI Class owner(eg. Server, Network Device etc.)

Included any additional fields required to meet the overall objectives

Mapping Fields


Choice Action:

“create” enables the creation of new reference values (eg. create a new Make/Model in the CMDB, if one does not exist for this make/model)

Mapped fields from the source system to the CMDB Determined if some values could be used to auto

update reference data (eg. Make/Model) Determined what fields they required

Based on data sources, determine what fields can be used to build relationships

Using discovery precedence, load relationships between CIs (typically using the same source)

Log exception report where correlation failed Tune engine to improve matches, or manually deal with exceptions

Auto Create Relationships


Source Target Coalesce Choice action

source.u_network child TRUE REJECT

Source.u_server parent TRUE REJECT

"CONNECTED BY::CONNECTS" type TRUE REJECT

Data from Solarwinds provides: • The key/unique id from a network device u_network

• The key/unique id from a server device u_server

• We then create a parent to child relationship with the terms Connected By and Connects

Don’t create a new relationship, if one

existsDon’t create a new CI

Slide subheadingTechnical considerations


Alerting for failed discovery and transformation tasks

Connection method (eg. Web Service, email etc. )

Never perform creates on the same Class from multiple sources

– Discover from primary source and then update additional data from secondary source(s)

Challenges


Challenge Overcome by

Getting time and commitment of Subject Matter Experts from each CI owner group

Strong sponsorship from senior management (CIO / GGM) Regular steering committee meeting where issues were

flagged Ensure we built a CMDB that provided benefits to the team

(explained in more detail upcoming slides)

Loading data/mapping fields and mapping relationships

Need a resource with in-depth understanding of configuration management

Auto-populating data versus manual updates. Everyone wants everything auto-populated

Explaining cost benefit to SMEs Escalating to the steering committee if the SMEs could not be

convinced

Ongoing population of the CMDB Ensured managers bought into the value All staff were put through training sessions Configuration Manager to drive/uplift compliance Reports compliance provided to GM and above

Tips


Tips Explanation

Configuration Management is a journey Ensure stakeholders expectations are met Expect 1 to 2 years to reach end state

Don’t under-estimate the effort Ensure adequate resourcing, such as: A Configuration Manager Technical expert to create the CMDB Technical staff to provide the details and help with mapping

Ensure stakeholders understand the difference between Configuration and Asset Management

Avoid confusion regarding the end state deliverable

Understand the benefits To sell why you are implementing Configuration Management

End of Technical sectionQuestions?

Benefits / Savings

Want to ensure there are real savings / benefits?

Activity Saving Comment

Change Manager effort 25% Easier to see impacts, add approvers

Change creation 62.5% quicker

Reducing alert SPAM’ing 150 hours/month SCOM put in to maintenance mode

Self Service Portal (SSP) Requests Days quicker Improvement based on empirical data. Previously there was no SSP. Average SSP provisioning is 4-hours

Server patching 13 hours / month Based on 2 patching cycles (Dev then Prod)

Easier Life-cycle management Several Months Previous project ran for over 12 months

Providing Projects with accurate CI data

Days/request Often requests took days, can now provide info in minutes

Network firewall burns 30% Absorbed 30% growth with no FTE increase

PCI Compliance N/A Improved compliance/governance

Reduced SD call Volume 30% SSP task are sent directly to the resolver group

Benefits


Slide subheadingLocation Data and Data Classifications


User Locations:Locations that the services / application is provisioned. Staff understand which regions they need to take into consideration, different financial reporting, different public holidays etc.

Info Classification:Is data highly confidential (eg. HR data)

PCI Compliance:Is the data within scope of PCI compliance, what additional checks/approvals need tobe under taken to ensure PCI rules are met

Privacy Compliance:What privacy rules must be metor considered

TISA compliance:TU has third party agreements with the roadside, this requires certain rules, such as outage lead times and communications

Slide subheadingBusiness Criticality


Business Criticality: Used to define the SLAs for the service/application. This is used for reporting and can be used for managing the overall end-to-end service (where the underlying Infrastructure is not built to the same level criticality).

– Transurban use Gold / Silver / Bronze

Slide subheadingLife-Cycle Management


Support End date:Dates can be used to pull reports for life-cycle replacement

Potential Saving:

Last time LCM was a project that ran for over 12 months (just to collect and validate data)

Slide subheadingAssignment and Approvers


Assignment:Incidents and requests are directly assigned from the self-service portal to teams based on populated assignment groups, thus skipping the IT Service Desk

Approval:Approvers of a Change are driven from approval groups on the configuration item and a secondary approval group can be added, for instance to ensure that a Change is approved for both the Aus. and USA regions

Effort Saved:

Minor Change review is 50% quicker, saving

25% of total Change Manager effort

Slide subheadingDependency Mapping


Dependency Maps:Can be used to understand the impact a server, database or Network component can have on applications and services

Improvement:

Helped to half the amount of time spent reviewing changes

Slide subheadingPatching Cycles - Security


Patching Group: Can be driven by adding CIs to a patching group and patching can be automated off this

Patching Exemptions: Servers can be omitted from patching if there are risks associated with performing the patch (eg. Applications running on the server are not supported on the patch level)

Patching Instructions: Special instructions can be added eg. Check alerting is re-enabled

Effort Saved: 7 hours/patching cycle (Windows Fleet - 570 Production and 154 Dev/Test servers)

Slide subheadingSCOM Alerts – Put into Maintenance Mode


SCOM Alerts:By integrating SNOW and SCOM and loading the CIs, when a Change is raised and outage records created, the SCOM servers are placed into maintenance mode, thus preventing spamming of alerts during a valid outage

Effort saved:

150 hours/month

Slide subheadingUpstream Applications


Upstream Applications: Users can add upstream applications etc. to an Infrastructure change which will then show any impacted upstream components, reducing the likelihood of an application/service outage

PCI Compliance


PCI Compliance: When Changes are approved by a peer and moved from Peer Review

to Tech & Change Review the Dependency map is checked to see if the application is within PCI scope and an additional approver can be added. Weekly reports are also produced detailing if PCI configuration items have been changed.

Certificate Expiration


Digital Certificates:Are managed across the enterprise to ensure certificates are upgraded, before they expire. Since go-live we have seen no incidents resulting from expired certificates.

Value:

Reduces the risk of an outage caused by expired certificates

Portal Home Page


Sample Service Requests


Self Service Request – Driven from CMDB


Improved self-service:As a number of requests can be driven off the CMDB. For example, a system to system firewall rule can have the source/destination firewalls populated, ensuring appropriate approval and that the right information is provided in the request.

Effort saved:

30% increase in volume, with no increase in people

Improved Self Service


Improved self-service:If the relevant Configuration Item is selected, then the request is immediately assigned to the correct team.

Savings:

Together with knowledge articles, and self-service forms, this has reduced help desk

call volume by ~50%.

Auto Create new CIs


Improve CI Creation:New Application CIs are QA’d and created through a new form.

Savings:

5% Configuration Manager saving

End of Benefits sectionQuestions?

Current Dashboard vs Improved Dashboard

Loading vCentre data automatically – Expected a saving: 4-weeks/annum

Creating services and mapping to applications

Loading mobile billing data

Current CMDB and looking into the future


Current Dashboard


Improved reporting: Ability to monitor exceptions in the CMDB, such as stale, duplicate and orphaned CIs

CMDB – Completeness / Compliance / CorrectnessImproved Dashboard


Contact Details

Email: [email protected]

LinkedIn: https://au.linkedin.com/in/stuart-smith-43b4923


End PresentationQuestions?

Wow! A configuration management program that worked · PDF fileA configuration management...

Documents

Transcript of Wow! A configuration management program that worked · PDF fileA configuration management...